

File Ref. No.:OA0011 



VERIFICATION OF TRANSLATION 



I hereby declare and state that I am knowledgeable of the Japanese and English 
languages and that I made and reviewed the attached translation of the attached 
patent application entitled "REWRITING SYSTEM FOR VEHICLE 
CONTROLLER" from the Japanese language into the English language, and 
that I believe my attached translation to be accurate, true, and correct to the best of 
my knowledge and ability. 




, 2003. 



Date: 




Signature 



Yukari Hirano 



Printed name 



JAPAN PATENT OFFICE 

This is to certify that the annexed is a true copy of the following 
application as filed with this Office. 



Date of Application: April 13, 2000 

Application Number: JP 2000-112125 

Applicants: Honda Giken Kogyo Kabushiki Kaisha 



April 20, 2001 



Commissioner, 
Japan Patent Office 



(Seal) 



Certificate No.: Shutsushoutoku 2001-3032707 



Document Name' Patent Application 

Document Number: H100033301 
Date: April 13, 2000 

To: Commissioner, Japan Patent Office 

International Classification: F02D 45/00 

Inventor(s): 

Address: c/o K.K. Honda Gijutsu Kenkyusho 

4-1, Chuo 1-chome, Wakoshi, Saitama, Japan 
Masanori MATSUURA 



Name: 
Inventor(s): 

Address^ 

Name: 
Inventor(s): 

Address: 

Name: 
Applicant: 
ID: 

Name: 
Attorney: 
ID: 



c/o K.K. Honda Gijutsu Kenkyusho 

4-1, Chuo 1-chome, Wako-shi, Saitama, Japan 

Naohiko MIZUO 

c/o K.K. Honda Gijutsu Kenkyusho 

4-1, Chuo 1-chome, Wako-shi, Saitama, Japan 

Tetsuya YASHIKI 

000005326 

Honda Giken Kogyo Kabushiki Kaisha 



100081721 
Patent Attorney 
Name: Tsuguo OKADA 

Official Fee: 

Account No.: 034669 
Fee: ¥21,000 
Accompanying Documents: 



Object 
Object 
Object 



Specification 

Drawings 

Abstract 



Proof: 



Yes 



JPA 2000-112125 
(Priority Document) 

[Document Name] Specification 

[Title of the Invention] Rewriting system for vehicle controller 
[Claims] 

[Claim l] A rewriting system for rewriting data stored in a memory of a 
vehicle controller with new data transferred from a rewriting device, the 
rewriting device comprising an offline determination means for 
determining that communication is offline if a response time of the 
vehicle controller exceeds a first predetermined time and an offline 
prohibiting means for prohibiting the offline determination until a 
response time of the vehicle controller exceeds the first predetermined 
time and then reaches a second predetermined time when deleting or 
writing operation on the memory is being performed. 

[Claim 2] The rewriting system of claim 1, wherein the rewriting device 
further comprises a means for acquiring from the vehicle controller a time 
necessary to delete the data in the memory or write the new data into the 
memory prior to the deleting or writing operation, wherein, when the 
deleting operation is performed, the acquired time necessary to delete the 
data in the memory is set in the second predetermined time, and wherein, 
when the writing operation is performed, the acquired time necessary to 
write the new data into the memory is set in the second predetermined 
time. 

[Detailed Description of the Invention] 
[0001] 

[Technical Field of the Invention] 

The present invention relates to a system for rewriting a program 
stored in a memory of a vehicle controller with other program transferred 
from an external rewriting device. 
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[0002] 
[Prior Art] 

Vehicles are subjected to various types of control by electronic 
control units (hereafter referred to as "ECU"). Such control includes 
5 engine-related control of an air fuel ratio, fuel injection amount, and 
emission as well as body-related control of a power window, an air bag, 
and an ABS. The ECU provides various types of control for the vehicle 
based on current conditions and traveling conditions of the vehicle sensed 
by various sensors mounted on the vehicle. 
10 [0003] 

The ECU comprises a central processing unit (CPU), a ROM (Read 
Only Memory) that stores programs and data to be executed, a RAM 
(Random Access Memory) which provides a work area for execution and 
which stores results of computation, and an input/output interface for 
1 5 receiving signals from various sensors and transmitting control signals to 
various parts of the engine. 
[0004] 

A system is known wherein a rewritable and non-volatile memory, 
such as a flash memory, an EEPROM ,is used as the ROM to allow data 

2 0 stored in the ROM to be rewritten. Such a system typically comprises a 
rewriting device, an ECU and a serial communication path connecting 
them together. Rewriting is achieved by deleting data stored in the 
non-volatile memory mounted on the ECU and writing new data 
transferred from the rewriting device via serial communication into the 

2 5 memory By way of example, Japanese Patent Application Laid-Open No. 
63*223901 describes a method for changing a program stored in the 
EEPROM of the ECU in response to a request from an external device via 
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a SCI (Serial Communication Interface) terminal with the ECU being 

mounted on the vehicle. 

[0005] 

Generally, deleting and writing operation on a non-volatile memory 
5 such as a flash memory and EEPROM requires a relatively large amount 
of time. When there is no response from the ECU for a predetermined 
period, the rewriting device determines that communication between the 
ECU and the rewriting device is offline. A typical method wherein the 
rewriting device acquires the result of the deleting operation or writing 
10 operation after they are initiated is shown in FIGS. 6 and 7. FIG. 6 is a 
flow chart showing the deleting and writing process performed by the 
rewriting device, and FIG. 7 is a flow chart showing the deleting and 
writing process performed by the ECU. 
[0006] 

15 In response to a request for deleting operation or writing operation 

from the rewriting device (step 501 or 521), the ECU sends a signal to the 
rewriting device indicative of start of deleting operation or writing 
operation (step 552 or 562) and performs the deleting or writing operation 
(step 553 or 563). In response to the signal indicative of start of deleting 

2 0 operation or writing operation, the rewriting device requests the result of 
the deleting operation or writing operation (step 505 or 525). If the 
deleting operation or writing operation is being performed, the ECU 
sends a signal to the rewriting device indicating that the deleting 
operation or writing operation is in progress (step 556 or 566). If the 

2 5 deleting operation or writing operation has been completed, the ECU 
sends a signal indicative of completion of the deleting operation or writing 
operation (step 557 or 567). 
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[0007] 

At step 509 or 529, if the response from the ECU indicates that the 
deleting or writing operation is in progress, the process returns to step 
505 or 525. If the response from the ECU indicates that the deleting or 
5 writing operation has been completed, the process proceeds to the 
following step 510 or 530. In this way, the rewriting device determines 
whether deleting or writing operation is being performed or has been 
completed by sending a request for the result of the deleting or writing 
operation and by receiving a response to the request. Even if the deleting 
10 or writing operation is being performed, an erroneous determination of 
offline is not made as long as there is a response from the ECU. 
[0008] 

FIG. 8 shows typical two forms of a non-volatile memory mounted 
on the ECU. FIG. 8(a) shows a form in which a flash memory 16, which is 

15 a non-volatile memory, is provided independently of a CPU 14. In other 
words, the flash memory 16 is mounted on a chip different from the CPU 
14. The flash memory 16 is coupled to a chip of a microcomputer where 
the CPU is mounted via an external bus 5. When the ECU 10 receives a 
request for deleting or writing operation on the flash memory 16 from the 

2 0 rewriting device 11, the deleting or writing operation on the flash memory 
is performed by an input/output controller (not shown) that controls 
input/output through the external bus 5. In this way, since deleting or 
writing control on the flash memory is performed independently of the 
CPU, the CPU does not become busy during deleting or writing operation. 

2 5 [0009] 

FIG. 8(b) shows another form in which the flash memory 16 and the 
CPU 14 are provided on a single chip to constitute one chip 
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microcomputer. The flash memory 16 is coupled to the CPU 14 via an 
internal bus 7. Deleting or writing operation is performed by an interface 
means incorporated in the CPU as a function. In this case, the CPU may 
become busy during deleting or writing operation. When the CPU is busy, 
5 the ECU 10 may be unable to communicate with the rewriting device 11. 
[0010] 

[Problems to be Solved by the Invention] 

Recently, in order to reduce costs relating to the ECU, a 
microcomputer including a non-volatile memory, as shown in FIG. 8(b), 

10 has been increasingly employed. As described above, in this form, a CPU 
may become busy during deleting or writing operation on a non-volatile 
memory. When the ECU is busy, it may not respond to a request for the 
result of deleting or writing operation from the rewriting device. As a 
result, even though the communication line is normal, the rewriting 

1 5 device may erroneously determine that the communication is offline if a 
response from the ECU has not been received within a predetermined 
period. 
[0011] 

Therefore, the invention solves the above problems. It is an object 
2 0 of the invention to provide a rewriting system capable of avoiding an 
erroneous determination of offline when deleting or writing operation on 
a non-volatile memory is being performed in the ECU. 
[0012] 

[Means to Solve the Problem] 

2 5 In order to solve the above problems, the invention as defined in 

claim 1 provides a rewriting system for rewriting data stored in a memory 
of a vehicle controller with new data transferred from a rewriting device, 
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the rewriting device comprising an offline determination means for 
determining that the communication is offline if a response time of the 
vehicle controller exceeds a first predetermined and an offline prohibiting 
means for prohibiting the offline determination until a response time of 
5 the vehicle controller exceeds the first predetermined time and then 
reaches a second predetermined time when deletion or writing operation 
on the memory is being performed. 
[0013] 

According to the invention of claim 1, an erroneous determination 
10 that the communication line is offline can be avoided when deleting or 
writing operation on a memory of the vehicle controller is being 
performed. 
[0014] 

The invention as defined in claim 2 provides the rewriting system 
15 of claim 1, wherein the rewriting device further comprises a means for 
acquiring from the vehicle controller a time necessary to delete the data 
in the memory or write the new data into the memory prior to the 
deleting or writing operation, wherein, when the deleting operation is 
performed, the acquired time necessary to delete the data in the memory 
2 0 is set in the second predetermined time, and wherein, when the writing 
operation is performed, the acquired time necessary to write the new data 
into the memory is set in the second predetermined time. 
[0015] 

According to the invention of claim 2, since an offline determination 
2 5 is made based on an appropriate time necessary to perform the deleting 
or writing operation acquired from the vehicle controller when deleting or 
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writing operation is being performed, the accuracy of the offline 

determination is improved. 

[0016] 

[Embodiment of the Invention] 

A system for rewriting a program stored in a non-volatile memory 
of a vehicle controller will be described referring to the drawings. The 
present invention, however, is not limited to the system but is applicable 
to various systems for rewriting various data stored in a memory. 
[0017] 

FIG. 1 shows a general functional block diagram of a rewriting 
system according to the invention. The rewriting system comprises an 
ECU 10 and an external rewriting device 11. The rewriting device 11 is a 
rewriting device authorized by a manufacturer of vehicles on which the 
ECU 10 is mounted. By connecting the rewriting device 11 to the ECU 10 
via a serial communication bus and operating the rewriting device 11, 
security for preventing information such as a program and data stored in 
the ROM 16 of the ECU 10 from being rewritten without proper 
authorization is released. Thus, the rewriting device 11 is allowed to 
rewrite a program and data stored in the ROM 16. 
[0018] 

The ECU 10 comprises a central processing unit 14 (hereafter 
referred to as a "CPU") including a microcomputer and associated circuit 
elements, ROMs 16 and 17 which are non-volatile memories and which 
store programs and data, a RAM 15 (Random Access Memory) which 
provides a work area for execution and which stores results of 
computations, and an input/output interface 18 for receiving signals from 
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various sensors 19 and transmitting control signals to various parts of the 

engine. 

[0019] 

Signals from various sensors 19 include an engine rotation speed, 
5 an engine water temperature, an intake air temperature, a battery 
voltage, and an ignition switch. Thus, based on a signal input from the 
input/output interface 18, the CPU 14 invokes a control program and data 
from the ROMs 16 and 17 to execute computations, and outputs the 
results to various parts of the vehicle via the input/output interface 18 to 
10 control various functions of the vehicle. 
[0020] 

The ECU 10 also comprises an interface 12. The interface 12 has a 
protocol for communication with the rewriting device 11 to enable serial 
communication between the ECU 10 and the rewriting device 11. 
15 [0021] 

The rewritable ROM 16 is a non-volatile memory from which stored 
data can be deleted and to which new data can be written. The rewritable 
ROM 16 can be, for example, a flash memory or an EEPROM. The 
non-rewritable ROM 17 is a non- volatile memory where stored data 

2 0 cannot be changed. The non-rewritable ROM 17 can be implemented by 
specifying a part of the memory area of a rewritable ROM (such as a flash 
memory or EEPROM) as an unchangeable area, or by using a mask ROM 
for which data is fixed during manufacturing and from or to which data 
can subsequently not be deleted or written. Alternatively, the ROM 17 can 

2 5 be implemented with a PROM to which data can be written only once. 
[0022] 
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The ROMs 16 and 17 can be implemented as two memories that are 
physically separated. Alternatively, the memory area of a single memory 
may be divided into two areas so that one of the areas is used as a 
rewritable area, while the other is used as a non-rewritable area. In the 
5 latter case, for example, after a non-rewritable area in which a program 
or the like is stored has been specified in an EEPROM, a rewritable area 
is specified with start and end addresses in the unfilled space of the 
memory. 
[0023] 

10 A program PI, which is to be rewritten by the rewriting device 11, 

is stored in the rewritable ROM 16. Programs that implement an 
authentication part 33, an initialization part 34, a deleting part 35 and a 
writing part 36 are stored in the non-rewritable ROM 17. The 
authentication part 33 judges whether the rewriting device 11 is 

15 authentic. If it is judged that the rewriting device is authentic, the 
authentication part 33 releases the security. The initialization part 34 
performs an initialization process for starting deleting and writing 
operation. The deleting part 35 deletes the program PI that is an object of 
the rewriting operation. The writing part 36 receives a new program P2 

2 0 from the rewriting device 11 and then writes it into the ROM 16. 
[0024] 

The ECU 10 also comprises a deleting time calculating part 37 and 
a writing time calculating part 38. The deleting time calculating part 37 
calculates the time necessary to delete the program PI. A unit time of 
2 5 deletion, which can be expressed, for example, in blocks or bytes, depends 
on the type of the ROM. That is, a unit time of deletion is predetermined 
in accordance with the specification of the ROM 16. The deleting time 
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calculating part 37 calculates the deleting time DT based on the size of 
the program PI and a unit time of deletion specific to the ROM 16. 
[0025] 

The writing time calculating part 38 calculates the time necessary 
5 to write the new program P2 received from the rewriting device 11. As is 
the case for deletion, a unit time of writing depends on the type of the 
ROM, and is predetermined in accordance with the specification of the 
ROM. The writing time calculating part 38 calculates the writing time 
WT based on the size of the program P2 and a unit time of writing 
10 specific to the ROM 16. The writing time may be calculated for the entire 
program P2 or for each partial program code of the program P2 received 
from the rewriting device 11. 
[0026] 

The rewriting device 11 comprises a security release requesting 
15 part 20, a rewriting initialization part 21, a deleting requesting part 23 
and a deleting result requesting part 25, which are stored in a memory of 
the rewriting device 11 as programs. The security release requesting part 
20 requests the ECU 10 to release the security so that rewriting to the 
rewritable ROM 16 of the ECU 10 is permitted. The rewriting 
2 0 initialization part 21 performs a process necessary to start deleting and 
writing operation. The deleting requesting part 23 requests the ECU 10 
to delete the program PI in the ROM 16, which is an object of the 
rewriting operation. The deleting result requesting part 25 requests the 
result of the deleting operation from the ECU 10 to determine whether 
2 5 the deleting operation is in progress or has been completed. 
[0027] 
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The rewriting device 11 preferably comprises a deleting time 
acquiring part 22 to acquire from the ECU 10 the deleting time DT 
necessary to delete the program PI stored in the rewritable ROM 16. For 
example, before or when the deleting requesting part 23 requests the 
5 ECU 10 to delete the program PI, the deleting time acquiring part 22 
acquires from the ECU 10 the deleting time DT calculated by the deleting 
time calculating part 37. 
[0028] 

In another embodiment, the deleting time calculating part 37 may 
10 be provided in the rewriting device 11 to calculate the deleting time DT in 
the rewriting device. The rewriting device 11 may have a unit time of 
deletion specific to the ROM 16 and program PI in advance or may 
request a unit time of deletion from the ECU 10. Thus, the rewriting 
device 11 can calculate the deleting time DT. 
15 [0029] 

The rewriting device 11 also comprises a writing requesting part 27, 
a writing result requesting part 29 and a data block assembling part 30, 
which are stored in a memory as programs. The data block assembling 
part 30 converts program codes of the new program P2, which is to be 

2 0 transferred to the ECU 10, into data blocks suitable for serial 
communication. The data block assembling part 30 divides the program 
that is to be transferred into partial program codes each having a 
predetermined length (for example, eight bits), and adds an address field 
to respective partial program codes to assemble serial data blocks. The 

2 5 address field includes a leading address of the ROM in which the partial 
program code is to be stored so as to notify the ECU 10 of the memory 
location in which the partial program code is to be stored. 
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[0030] 

The writing requesting part 27 requests the ECU 10 to write the 
new program P2 into the rewritable ROM 16 and serially sends the data 
blocks for the new program P2 assembled by the data block assembling 
5 part 30. The writing result requesting part 29 requests the result of the 
writing operation from the ECU 10 to determine whether the writing 
operation is in progress or has been completed. 
[0031] 

The rewriting device 11 preferably comprises a writing time 
10 acquiring part 26 to acquire from the ECU 10 the writing time WT 
necessary to write the new program P2 into the rewritable ROM 16. For 
example, before or when the writing requesting part 27 requests the ECU 
10 to write the program P2, the writing time acquiring part 26 acquires 
from the ECU 10 the writing time WT calculated by the writing time 
15 calculating part 38. In the embodiment, the writing time acquiring part 
26 acquires the time necessary to write the partial program code 
transferred at a time, Alternatively, the writing time acquiring part 26 
may acquire the time necessary to write the entire program P2. 
[0032] 

2 0 In another embodiment, the writing time calculating part 38 may 

be provided in the rewriting device 11 to calculate the writing time WT in 
the rewriting device. The rewriting device 11 may have a unit time of 
writing in advance or may request a unit time of writing from the ECU 10. 
Thus, the rewriting device 11 can calculate the writing time WT based on 

2 5 the size of the new program P2. 
[0033] 
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The rewriting device 11 also comprises an offline determining part 
31. The offline determining part 31 judges whether the communication is 
offline. The offline determining part 31 compares a response time of the 
ECU 10 to a request by the deleting requesting part 23 with a 
5 predetermined first determination time DTI and determines that the 
communication is offline if the response time exceeds the first 
determination time DTI. 
[0034] 

In addition, when deleting operation is being performed in the ECU 
10 10, the offline determining part 31 prohibits the determination of offline 
until the response time exceeds the first determination time DTI and 
then reaches a predetermined second determination time DT2. As a result, 
an erroneous determination of offline due to a busy state where deleting 
operation is being performed can be avoided. More specifically, the offline 
15 determining part 31 compares a response time of the ECU 10 to a request 
by the deleting result requesting part 25 with the second determination 
time DT2 and determines that the communication is offline if the 
response time exceeds the second determination time DT2. The second 
determination time DT2 is a reference time used for determining that the 
2 0 communication is offline when the deleting part 35 is performing the 
deleting operation. The determination time DT2 is established to satisfy 
DTI < DT2. 
[0035] 

In a similar way, the offline determination part 31 compares a 
2 5 response time of the ECU 10 to a request by the writing requesting part 
27 with a predetermined first determination time WT 1 and determines 
that the communication is offline if the response time exceeds the first 
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determination time WT1. The value of the first determination time WT1 
may be consistent with or different from the value of the first 
determination time DTI. 
[0036] 

5 In addition, when writing operation is being performed in the ECU 

10, the offline determining part 31 prohibits the determination of offline 
until the response time exceeds the first determination time WT1 and 
then reaches a predetermined second determination time WT2. As a 
result, an erroneous determination of offline due to a busy state where 

10 writing operation is being performed can be avoided. More specifically, 
the offline determining part 31 compares a response time of the ECU 10 
to a request by the writing result requesting part 29 with the second 
determination time WT2 and determines that the communication is 
offline if the response time exceeds the second determination time WT2. 

15 The second determination time WT2 is a reference time used for 
determining that the communication is offline when the writing part 36 is 
performing the writing operation. The determination time WT2 is 
established to satisfy WT1 < WT2. 
[0037] 

2 0 Preferably, when the deleting time acquiring part 22 acquires the 

deleting time DT, the deleting time DT is set in the second determination 
time DT2. Similarly, when the writing time acquiring part 26 acquires the 
writing time WT, the writing time WT is set in the second determination 
time WT2. Thus, when deleting or writing operation is being performed, 

2 5 since the determination of offline is made based on the deleting time or 
writing time optimized in accordance with the specification of the ROM, 
the time for determining the offline can be minimized, the accuracy of the 
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determination being improved. Alternatively, as is the case for the first 
determination time DTI and WT1, the second determination time DT2 
and WT2 may also be predetermined as fixed values. 
[0038] 

5 Referring to FIG. 2, rewriting operation according to the rewriting 

system shown in FIG. 1 will be described. The rewriting operation is 
initiated, for example, by pushing a button provided on the rewriting 
device 11 after it has been connected to the ECU 10. Alternatively, the 
rewriting operation may be initiated by operating the ECU 10. 
10 [0039] 

At step 41, the security release requesting part 20 of the rewriting 
device 11 sends a signal to the ECU 10 indicative of a request for 
releasing security. The authentication part 33 of the ECU 10 responds to 
the signal and initiates an authentication process for confirming that the 

15 authorized rewriting device is connected. The authentication process can 
be carried out in an arbitrary manner. For example, the rewriting device 
11 and the ECU 10 have security functions, respectively. Each of the 
rewriting device 11 and the ECU 10 calculates its own function value for 
a given same number. The function value of the rewriting device 11 is 

2 0 compared with the function value of the ECU 10. If the rewriting device is 
authentic, the function value of the rewriting device 11 would be the same 
as the function value of the ECU 10 because the rewriting device has the 
same security function as the ECU 10. If the two function values are the 
same, the ECU 10 sends a signal to the rewriting device 11 indicative of a 

2 5 permission of rewriting. Thus, the security is released. 
[0040] 
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If rewriting is permitted, the rewriting initialization part 21 of the 
rewriting device 11 sends a signal to the ECU 10 indicative of start of 
rewriting. The initialization part 34 of the ECU 10 returns a signal to the 
rewriting device indicative of a permission of start of rewriting when 
5 ready for rewriting (step 42). The rewriting initialization part 21 sends a 
request to the ECU 10 for shifting to a rewriting operation mode. The 
initialization part 34 of the ECU 10 executes a process of shifting to the 
rewriting operation mode (step 43). The rewriting initialization part 21 
queries the ECU 10 if the shift has been completed. If the shift has been 
10 completed, the rewriting initialization part 34 sends a signal to the 
rewriting device 11 indicative of completion of the shift (step 44). 
[0041] 

The deleting time acquiring part 22 of the rewriting device 11 
requests the time necessary to delete the program PI. In response to the 

15 request, the deleting time calculating part 37 of the ECU 10 calculates 
the deleting time DT and sends it to the rewriting device 11 (step 45). The 
deleting time acquiring part 22 sets the acquired deleting time DT in the 
second determination time DT2. The deleting requesting part 23 of the 
rewriting device 11 requests the ECU 10 to delete the program PI. In 

2 0 response to the request, the deleting part 35 of the ECU 10 sends a signal 
indicative of start of deleting operation (step 46). If a response time of the 
signal indicative of start of deleting operation exceeds the first 
determination time DTI, the offline determination part 31 of the 
rewriting device 11 determines that the communication is offline. 

2 5 [0042] 

At step 47, the deleting result requesting part 25 of the rewriting 
device 11 requests the result of the deleting operation. The request for the 
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result of the deleting operation is repeatedly sent until the deleting result 
requesting part 25 receives from the ECU 10 a signal indicative of 
completion of the deleting operation. Alternatively, after a predetermined 
time is elapsed from the time at which the request for the deleting 
5 operation is sent, the request for the result of the deleting operation may 
be sent at a predetermined time interval. If a response time of the ECU 
10 to the request for the result of the deleting operation exceeds the 
second determination time DT2, the rewriting device determines that the 
communication is offline. When the deleting operation of the program PI 
10 stored the ROM 16 has been completed, the deleting part 35 of the ECU 
10 sends a signal to the rewriting device 11 indicative of completion of the 
deleting operation. 
[0043] 

In the rewriting device 11, the new program P2 has been prepared 
15 by the data block assembling part 30 as serial data blocks. Assembling of 
the data blocks from the program P2 is typically performed before the 
security release request or the rewriting start signal is sent to the ECU 
10. Alternatively, it may be performed immediately before step 47 or 48. 
[0044] 

2 0 The writing time acquiring part 26 of the rewriting device 11 

requests the time necessary to write the new program P2. In response to 
the request, the writing time calculating part 38 of the ECU 10 calculates 
the writing time WT and sends it to the rewriting device 11 (step 48). The 
writing time acquiring part 26 sets the writing time WT in the second 

2 5 determination time WT2. 
[0045] 
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At step 49, the writing requesting part 27 of the rewriting device 11 
transfers a data block including a partial program code of the new 
program P2 to the ECU 10 together with a signal indicative of a request 
for writing operation. In response to the request, the writing part 36 of 
5 the ECU 10 sends a signal to the rewriting device 11 indicative of start of 
writing operation. The writing part 36 examines an address field of the 
data block received from the rewriting device 11 to write the partial 
program code included in the data block into the location of the rewritable 
ROM 16 that is indicated by the address value in the address field. A 

10 check mechanism may be provided for determining whether the address 
value in the address field of the data block is included in addresses of 
data deleted by the deleting part 35. If a response time of the signal 
indicative of start of writing operation from ECU 10 exceeds the first 
determination time WT1, the offline determination 31 determines that 

15 the communication is offline. 
[0046] 

The writing result requesting part 29 of the rewriting device 11 
requests the result of the writing operation from the ECU 10 (step 50). 
The request for the result of the writing operation is repeatedly sent until 

2 0 the writing result requesting part 29 receives from the ECU 10 a signal 
indicative of completion of the writing operation. Alternatively, after a 
predetermined time is elapsed from the time at which the request for the 
writing operation is sent, the request for the result of the writing 
operation may be sent at a predetermined time interval. If a response 

2 5 time of the ECU 10 to the request for the result of the writing operation 
exceeds the second determination time WT2, it is determined that the 
communication is offline. When the writing operation has been completed, 



18/26 



JPA 2000-112125 
(Priority Document) 




the writing part 36 sends a signal to the rewriting device 11 indicative of 

completion of the writing operation. 

[0047] 

The writing requesting part 27 transfers a next data block to the 
5 ECU 10 if the completion signal indicates a normal end. The steps 49 and 
50 are repeated until all the program code of the program P2 is written 
into the ROM 16. When writing of all the program codes has been 
completed, the writing requesting part 27 requests the ECU 10 to release 
the rewriting operation mode (step 51). In response to the request, the 
10 writing part 36 releases the rewriting operation mode. 
[0048] 

FIGS. 3, 4 and 5 are flow charts showing deleting and writing 
operation. The operation shown in FIG. 3 is carried out by the deleting 
time acquiring part 22, deleting requesting part 23, deleting result 
15 requesting part 25 and offline determination part 31. The operation 
shown in FIG. 4 is carried out by the writing time acquiring part 26, 
writing requesting part 27, writing result requesting part 29 and offline 
determination part 31. 
[0049] 

2 0 At step 60, the rewriting device 11 sends a signal indicative of a 

request for the deleting time to the ECU 10. When the deleting time DT 
is received from the ECU (step 61), the deleting time DT is set in the 
second determination time DT2 (step 64). The rewriting device 11 sends a 
signal to the ECU 10 indicative of a request for deleting operation (step 

2 5 65). 

[0050] 
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If there is no response from the ECU 10 at steps 61 and 66, it is 
determined whether the predetermined first determination time DTI (for 
example, 30 milliseconds) has elapsed (steps 62 and 67). If the first 
determination time DTI has not elapsed, the process returns to steps 61 
5 and 66, respectively, and rewriting device 11 waits a response from the 
ECU 10 again. If there is no response until the first determination time 
DTI has elapsed, it is determined that the communication between the 
rewriting device 11 and the ECU 10 is offline (steps 63 and 68). 



device 11 sends a signal to the ECU 10 indicative of a request for the 
result of the deleting operation (step 70). If there is a response to the 
request from the ECU 10 (step 71), it is checked whether the response 
indicates completion of the deleting operation (step 72). If the response 

15 indicates completion of the deleting operation, the process proceeds to 
step 76. If the deleting operation is in progress and the response does not 
indicate completion of the deleting operation, the process returns to step 
70, and the signal indicative of a request for the result of the deleting 
operation is sent to the ECU 10 again. Alternatively, the return to step 70 

2 0 may be made after a predetermined period. 



At step 71, if there is no response from the ECU 10, it is checked 
whether the first determination time DTI has elapsed (step 73). If the 
first determination time DTI has not elapsed, the process returns to step 
2 5 71, and the rewriting device 11 waits a response from the ECU 10 again. 
If there is no response until the first determination time DTI has elapsed, 
it is checked whether the second determination time DT2 (for example, 



[0051] 



10 



If there is a response from the ECU 10 at step 66, the rewriting 



[0052] 
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400 milliseconds) has elapsed (step 74). If there is no response until the 
second determination time DT2 has elapsed, it is determined that the 
communication is offline (step 75). 
[0053] 

5 Thus, when deleting operation is being performed, the 

determination of offline is made based on the second determination time 
that is longer than the first determination time. As a result, an erroneous 
determination of offline when deleting operation is being performed can 
be avoided. In addition, the determination of offline can be made more 
10 accurately since the second determination time is predetermined in 
accordance with the specification of the ROM. 
[0054] 

At step 76, if the deleting operation ends normally, the process 
proceeds to step 80 in FIG. 4. If the deleting operation does not end 
15 normally, the process exits from this routine. Steps following the step 80 
are showing a process regarding writing operation in the rewriting device. 
The offline determination in the writing operation is made in a similar 
way to the offline determination carried out in the deleting operation. 
[0055] 

2 0 At step 80, a signal indicative of a request for the writing time is 

sent to the ECU 10. The rewriting device 11 receives the writing time WT 
and sets it in the second determination time WT2 (step 84). The process 
proceeds to step 85, and a data block including a partial program code of 
the new program P2 is transferred to the ECU 10. 

2 5 [0056] 

At steps 81 and 86, if there is no response from the ECU 10 until 
the predetermined determination time WT1 (for example, 30 
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milliseconds) has elapsed, it is determined that the communication is 

offline (steps 83 and 88). 

[0057] 

If there is a response from the ECU at step 86, a signal indicative of 
5 a request for the result of the writing operation is sent to the ECU (step 
90). If there is a response to the request, it is checked whether the 
response indicates completion of the writing operation (step 92). If the 
response indicates completion of the writing operation, the process 
proceeds to step 96. If the writing operation is in progress and the 
10 response does not indicate completion of the writing operation, the 
process returns to step 90, and the rewriting device 11 sends the signal to 
the ECU indicative of a request for the result of the writing operation 
again. The return to step 90 may be made after a predetermined period. 
[0058] 

15 If there is no response from the ECU at step 91, it is checked 

whether the first determination time WT1 has elapsed from the time at 
which the request for the result of the writing operation is sent (step 93). 
If the first determination time WT1 has not elapsed, the process returns 
to step 91, and the rewriting device 11 waits a response from the ECU 

2 0 again. If there is no response until the first determination time WT1 has 
elapsed, it is checked whether the second determination time WT2 (for 
example, 400 milliseconds) has elapsed from the time at which the first 
request for the result of the writing operation is sent (step 94). If there is 
no response until the second determination time WT2 has elapsed, it is 

2 5 determined that the communication is offline (step 95). 
[0059] 
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Thus, when writing operation is being performed, the 
determination of offline is made based on the second determination time 
that is longer than the first determination time. As a result, an erroneous 
determination of offline when writing operation is being performed can be 
5 avoided. In addition, the determination of offline can be made more 
accurately because the second determination time is predetermined in 
accordance with the specification of the ROM. 
[0060] 

At step 96, if it is determined that the writing operation ends 
10 normally, the process returns step 80 to transfer the next data block. 
Thus, at step 97, if all the program codes of the new program P2 have 
been sent to the ECU, the process exits from this routine. 
[0061] 

FIG. 5 shows a flow chart of deleting and writing operation carried 
15 out in the ECU. If a signal indicative of a request for the deleting time is 
received at step 101, the deleting time DT is calculated and sent to the 
rewriting device 11 (step 102). If a signal indicative of a request for 
deleting operation is received at step 103, a signal indicative of start of 
the deleting operation is sent to the rewriting device (step 104), and the 
2 0 deleting operation is performed (step 105). If a signal indicative of a 
request for the result of the deleting operation is received from the 
rewriting device when the deleting operation is in progress or has been 
completed (step 106), a signal indicative of the result of the deleting 
operation is sent to the rewriting device (step 107). The result signal 
2 5 shows the state of the deleting operation, in such a manner that a value 
"1" indicates completion of the deleting operation and a value "0" 
indicates that the deleting operation is in progress. 
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[0062] 

In a similar way, if a signal indicative of a request for the writing 
time is received from the rewriting device (step 111), the writing time WT 
is calculated and is sent to the rewriting device (step 112). If a data block 
5 of the new program P2 is received from the rewriting device at step 113, a 
signal indicative of start of writing operation is sent to the rewriting 
device (step 114), and a partial program code included in the received 
data block is written into the rewritable ROM (step 115). If a signal 
indicative of a request for the result of the writing operation is received 

10 from the rewriting device (step 116) when the writing operation is in 

progress or has been completed, the result of the writing operation is sent 
to the rewriting device (step 117). The writing result signal shows the 
state of the writing operation, in such a manner that a value "1" indicates 
completion of the writing operation and a value "0" indicates that the 

15 writing operation is in progress. The transfer of the program from the 
rewriting device to the ECU is executed for each data block. Therefore, 
steps 113 through 117 are repeated until all the data blocks of the 
program are received (step 118). 
[0063] 

2 0 [Advantageous Effect of the Invention] 

According to the invention as defined in claim 1, an erroneous 
determination of offline when the vehicle controller is performing deleting 
or writing operation on a memory can be avoided. 
[0064] 

2 5 According to the invention as defined in claim 2, since an offline 

determination is made based on an appropriate time required for the 
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deleting or writing operation when deleting or writing operation is being 
performed, the accuracy of the offline determination is improved. 
[Brief Description of the Drawings] 

[FIG. l] A block diagram showing a general view of a rewriting 
system according to one embodiment of the invention. 

[FIG. 2] An operational procedure of a rewriting system according 
to one embodiment of the invention. 

[FIG. 3] A flow chart showing deleting and writing operation in a 
rewriting device according to one embodiment of the invention. 

[FIG. 4] A flow chart showing deleting and writing operation in a 
rewriting device according to one embodiment of the invention. 

[FIG. 5] A flow chart showing deleting and writing operation in a 
vehicle controller according to one embodiment of the invention. 

[FIG. 6] A flow chart showing conventional deleting and writing 
operation in a rewriting device. 

[FIG. 7] A flow chart showing conventional deleting and writing 
operation in a vehicle controller. 

[FIG. 8] shows a typical form of a CPU and a memory in a vehicle 
controller. 

[Explanations of Referenced Numerals] 

10 ECU 11 Rewriting device 

12 Interface 14 CPU 

16 Rewritable ROM 17 Non-rewritable ROM 
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[Document Name] Abstract 
[Abstract] 

[Problems to be Solved] An erroneous determination of offline is avoided 
when deleting or writing operation on a memory of a vehicle controller is 
being performed. 

[Means to Solve the Problems] A rewriting system for rewriting data 
stored in a memory of a vehicle controller with new data transferred from 
a rewriting device, the rewriting device comprising an offline 
determination means for determining that communication is offline if a 
response time of the vehicle controller exceeds a first predetermined time 
and an offline prohibiting means for prohibiting the offline determination 
until a response time of the vehicle controller exceeds the first 
predetermined time and then reaches a second predetermined time when 
deleting or writing operation on the memory is being performed. It is 
preferable to set the time required for the deleting or writing operation 
based on the specification of a ROM in the second predetermined time. 
Since the offline determination is prohibited until the time required for 
the deleting or writing operation has elapsed, an erroneous offline 
determination is avoided. 
[Selected Figure] Figure 1 
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[Document Name] Drawings 
[FIG. 1] 
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